Resubmissions
30-06-2024 01:18
240630-bn62va1erg 1029-06-2024 22:53
240629-2t7tfaydje 1029-06-2024 22:33
240629-2gkhdayald 10Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
29-06-2024 22:33
Behavioral task
behavioral1
Sample
Borat.rar
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Borat.rar
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Borat/BoratRat.exe
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
Borat/BoratRat.exe
Resource
win10v2004-20240611-en
General
-
Target
Borat.rar
-
Size
9.6MB
-
MD5
e3b10d235c365ac49d6855df0432bb76
-
SHA1
4ce182c19796cf8d4c017fdd8fd4b390de1eac7e
-
SHA256
53cdc49c7fb83b419c07edb45c544b106aaa37db00e8a37211678af6350a82f1
-
SHA512
bb91a4bf979516c2a19733772b4c34b09b45efbcec491f2fb62adde9222e6306ce32a17de3e6f9b3d7338a93f3d72e4747a23157675663f00e9f153bc4ec4704
-
SSDEEP
196608:XrmtNiLocMQin2MKY9U6Qw9w/ZpX4ff5c4lgg0:7mt5tn2y9Woff5c4G
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
vlc.exepid process 2644 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
vlc.exepid process 2644 vlc.exe -
Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
vlc.exepid process 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe -
Suspicious use of SendNotifyMessage 9 IoCs
Processes:
vlc.exepid process 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe 2644 vlc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
vlc.exepid process 2644 vlc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 3048 wrote to memory of 2252 3048 cmd.exe rundll32.exe PID 3048 wrote to memory of 2252 3048 cmd.exe rundll32.exe PID 3048 wrote to memory of 2252 3048 cmd.exe rundll32.exe PID 2252 wrote to memory of 2644 2252 rundll32.exe vlc.exe PID 2252 wrote to memory of 2644 2252 rundll32.exe vlc.exe PID 2252 wrote to memory of 2644 2252 rundll32.exe vlc.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Borat.rar1⤵
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Borat.rar2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Borat.rar"3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2644